In This Section: |
The Application Control blade restricts network access for specified applications. The Endpoint Security administrator defines policies and rules that allow, block or terminate applications and processes. Only applications that try to get network access can be blocked or terminated. If specified in an Application Control rule, an alert shows which application was blocked or terminated.
You can also enable the Reputation Service (previously called the Program Advisor) to recommend applications to allow or block.
Configure which applications are allowed, blocked, or terminated and what happens when applications are not identified.
To configure the allowed applications:
To configure the blocked applications:
To configure terminated applications:
If you block unidentified applications, users can only access applications that are included in the Allowed Apps List. If you allow unidentified applications, users can access all applications that are not on the blocked or terminated list. If you choose to allow unidentified traffic, make sure your blocked and terminated lists are complete.
To configure what happens to unidentified applications:
In the Policy tab > Application Control rule, select Block Unidentified Applications, or right click and select Allow Unidentified applications.
Terminated applications are not allowed to pass through the firewall.
The Check Point Reputation Service is an online service that automatically creates recommended rules that block or allow common applications. These rules are based on the recommendations of Check Point security experts. This feature reduces your workload while improving security and usability.
Note - Your Endpoint Security Management Server must have Internet access (on ports 80 and 443) to connect to the Check Point Reputation Service Server. Make sure that your firewall allows this traffic. We recommend that you add the Reputation Service Server to your Trusted Zone. |
To see the recommendations of the Reputation Service for safe applications:
A list of applications with a good reputation, generated by the Reputation Service, opens. You can move applications to the Block or Terminate list.
To see the recommendations of the Reputation Service for malicious applications:
A list of malicious applications, generated by the Reputation Service, opens. You can move applications to the Block or Allow list.
If your environment includes a proxy server for Internet access, do the configuration steps below to let the Endpoint Security Management Server connect to the Check Point Reputation Service Server through the proxy server. Note that all configuration entries are case-sensitive.
If your organization uses a proxy server for HTTP and HTTPS traffic, you must configure the Endpoint Security Management Server to work with the proxy server.
To configure use of a proxy server:
cpstop.
$UEPMDIR/engine/conf
and open the local.properties
file in a text editor.http.proxy.host=<IP address>
http.proxy.port=<port>
Do not add these lines if authentication is not required.
http.proxy.user=<username>
http.proxy.password=<password>
Make sure that you delete (or do not insert) the '#' character at the beginning of these lines. If you do not do this, all applications are blocked when trying to access the Internet.
$UEPMDIR/engine/conf/local.properties
and then close the text editor.cpstart
.The Appscan
command lets you automatically create Application Control rules for common applications and operating system files on endpoint computers network. This is especially useful when you have a clean standard image.
You can import a list of programs identified by their checksums, instead of by filename. Checksums are unique identifiers for programs that cannot be forged. This prevents malicious programs from masquerading as other, innocuous programs.
Create an Appscan for each disk image used in your environment. You can then create rules that will apply to those applications. You create Appscan files by running the appscan.exe utility on a computer with a tightly-controlled disk image, then importing the file into Endpoint Security.
Before you can use Appscan
, set up a Windows computer with the typical applications used on protected computers in your organization. If you have several different configurations, perform these steps for each.
Important - The computer you scan to create an Appscan must be free of all malware. If you are certain that your scan is clean, you can create rules that allow the applications access to the network. |
To run Appscan from the command line:
appscan
tool
from sk108536, to the root directory (typically c:\
) of the baseline reference source computer.\program files
).appscan
with the applicable parameters.When the scan is complete, an output file (Default = scanfile.xml
) is created in the specified directory.
Description
Scans the host computer and creates an XML file that contains a list of executable programs and their checksums. This XML file is used by the Check Point Reputation Service to create recommended rules to block or allow common applications.
Syntax
Appscan [/o <filename> /s <target directory> /x <extension strung /e /a /p
/verbose /warnings /?]
Parameters
Parameter |
Description |
---|---|
|
Output file name and path. |
|
Sends output to the specified file name. If no file name is specified, |
|
Specifies the directory, including all subdirectories, to scan.
|
|
Specifies the file extension(s) to include in the scan.
|
|
Include all executable files in the specified directory regardless of the extension. Do not use |
|
Includes additional file properties for each executable. |
|
Shows progress messages during the scan. |
|
Shows progress and error messages during the scan. |
|
Shows warning messages during the scan. |
|
Shows the command syntax and help text. |
Examples
appscan /o scan1.xml
This scan, by default, includes .exe files in the current directory and is saved as scan1.xml.
appscan /o scan2.xml /x ".exe;.dll" /s "C:\"
This scan includes all .exe and .dll files on drive C and is saved as scan2.xml.
appscan /o scan3.xml /x ".dll" /s c:\program files
This scan included all .dll files in c:\program files
and all its subdirectories. It is saved as scan3.xml
.
appscan /s "C:\program files" /e
This scan includes all executable files in c:\program files
and all its subdirectories. It is saved as the default file name scanfile.xml
.
After you generate the Appscan XML file, you import it to the Endpoint Security Management Server.
Note - You must remove all special characters, such as trademarks or copyright symbols, from the XML file before importing it. |
To import an Appscan XML file:
When applications included in the imported file are found on endpoint computers, they are automatically added to the Allowed or Block applications group.